Malvertising: the new generation of cybercriminals are getting scarily professional

“One of the things that screams out of this report,” said Dave Ewart, director of product marketing at Blue Coat, “is that the criminals have got a lot smarter and more sophisticated.”

Dave Ewart, director of product marketing, Blue Coat

He was telling me about Blue Coat’s new Web Security Report 2011 (a damned good read for anyone interested in what the bad guys are doing today); and he gave me an example. “One of the things we look for in this report,” he explained, “is the top web attacks and the mechanisms used in them.” The top two are unsurprising. “Number one is the fake anti-malware scam (rogueware: ‘you’re infected but we can cure you if you just click here’). Number two is the false codec scam (‘your video player is out of date; download the latest version here if you want to see this video of Justin Bieber taking his clothes off on the beach while playing football with David Beckham and Lady Gaga’).” But “Malvertising,” said Dave, “is brand new in at number three. It’s come from nowhere, and is an interesting new phenomenon.”

Malvertising has been around for a few years; but has now evolved into something quite worrying. Early versions were often just infected Flash advertisements; but the good guys have got better and better at recognising the bad guys’ infections. And the bad guys have got better and better at disguising themselves.

Consider, if you will, the nature of cybercrime. Its purpose is to take your money. But cybercrime cannot do it through physical violence; so it has to do it through persuasion. The key element of almost all cybercrime is therefore a con – a hustle. ‘Hustle’ is the name of an excellent television programme on the BBC. It’s about professional Robin Hood-style hustlers and hustling; and one of the things the hustlers demonstrate is that a successful hustle takes time, takes patience and probably a little outlay. This is something the cybercriminals have learned, and are using in the latest iteration of malvertising.

Hustle from the BBC: not to be confused with the bad guy hustlers

“The cybercriminals will provide an advertisement, like a banner ad, for some attractive, very realistic looking thing; and they will pay for the distribution of that ad through a reputable ad network.” What they’re doing is leveraging a ready-made and highly effective distribution system. But this malvertising is benign, dormant. “It will often lie in wait for months inside this multi-layered advertising network, almost like a sleeper cell. The longer the advert lives in the system the more likely it is to appear in search results, and the more likely it is to become a trusted element of a trusted web page. Two or three months, or maybe even five months later – wham – the sleeper cell suddenly bursts into life and the malware advert will, via five or six hops, take users to the malware host and deliver its payload.”

…a relatively new ad domain that had existed for approximately six months had been checked several times for malware with clean ratings when it picked a day in early November to selectively target and deliver its cloaked malware payload. The next day it was gone. Developing clean reputations within ad networks, accepting categorizations and passing multiple sweeps for malware, cyber crime is very patient to develop valuable and trusted positions within Web advertising structures before launching attacks.
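The behaviour described above (a creative that passes clean for months, then one day produces a long redirect chain to a new landing host) is something an ad network or web filter can watch for in its own crawl history. The following is an added example, not code from Blue Coat or from this article: a Python check over a constructed crawl log (hypothetical `.test` hostnames, invented dates) that flags a creative only when it has a clean history of at least `min_clean_days` and then, on a later crawl, either exceeds `max_hops` redirects or lands on a host never seen for that creative before.

```python
"""Flag 'sleeper' ad creatives in a crawl log.

Added example with constructed data; the ad domains, hop hosts and dates below are
invented for illustration and are not taken from the Blue Coat report.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AdObservation:
    ad_domain: str   # serving domain of the creative as registered with the ad network
    seen_on: date    # day the creative was crawled
    chain: tuple     # hostnames in redirect order: ad network first, landing page last


def is_benign_chain(chain, max_hops):
    """Treat a chain as benign when it is short; the attacks described need five or
    six hops to reach the malware host, so a sudden jump in length is the signal."""
    return len(chain) <= max_hops


def find_sleeper_ads(observations, min_clean_days=60, max_hops=3):
    """Return one tuple (ad_domain, day, hop_count, final_host, reasons) for each crawl
    where a creative that had been clean for at least min_clean_days changes behaviour:
    the chain grows past max_hops and/or ends on a host not seen for that creative."""
    history = {}
    for obs in sorted(observations, key=lambda o: o.seen_on):
        history.setdefault(obs.ad_domain, []).append(obs)

    alerts = []
    for domain, obs_list in history.items():
        first_seen = obs_list[0].seen_on
        clean_so_far = True          # no suspicious crawl seen yet for this creative
        final_hosts = set()          # landing hosts observed so far for this creative
        for obs in obs_list:
            age_days = (obs.seen_on - first_seen).days
            reasons = []
            if not is_benign_chain(obs.chain, max_hops):
                reasons.append("chain_grew")
            if final_hosts and obs.chain[-1] not in final_hosts:
                reasons.append("new_final_host")
            # Only a creative with an established clean history counts as a sleeper;
            # a brand-new noisy creative is a different (and easier) case.
            if reasons and clean_so_far and age_days >= min_clean_days:
                alerts.append((domain, obs.seen_on, len(obs.chain),
                               obs.chain[-1], ",".join(reasons)))
            if reasons:
                clean_so_far = False
            final_hosts.add(obs.chain[-1])
    return alerts


def sample_observations():
    """Constructed crawl log: one sleeper, one honest shop, one noisy newcomer."""
    clean = ("adnetwork.test", "ads.sleeper-promo.test", "landing.sleeper-promo.test")
    burst = ("adnetwork.test", "ads.sleeper-promo.test", "hop1.test", "hop2.test",
             "hop3.test", "hop4.test", "payload-host.test")
    shoes = ("adnetwork.test", "ads.shoes-shop.test", "shop.shoes-shop.test")
    newcomer = ("adnetwork.test", "ads.newcomer.test", "hop1.test", "hop2.test",
                "hop3.test", "hop4.test", "payload-host.test")
    return [
        AdObservation("ads.sleeper-promo.test", date(2011, 5, 2), clean),
        AdObservation("ads.sleeper-promo.test", date(2011, 6, 20), clean),
        AdObservation("ads.sleeper-promo.test", date(2011, 8, 15), clean),
        AdObservation("ads.sleeper-promo.test", date(2011, 11, 3), burst),  # the burst
        AdObservation("ads.shoes-shop.test", date(2011, 5, 2), shoes),
        AdObservation("ads.shoes-shop.test", date(2011, 11, 3), shoes),
        AdObservation("ads.newcomer.test", date(2011, 10, 25), newcomer),   # too young
    ]


if __name__ == "__main__":
    for alert in find_sleeper_ads(sample_observations()):
        print(alert)
```

Run as a script it prints the single sleeper alert for `ads.sleeper-promo.test` on 2011-11-03 with seven hops ending on `payload-host.test`. The newcomer creative is deliberately not reported here: a long chain on a creative's first day is caught by an ordinary hop-count rule, whereas this check exists to catch the creative that already holds a trusted position. A legitimate landing-page change will also trip `new_final_host`, so treat the output as a review queue rather than an automatic block list.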

By not being afraid to spend a little to gain a lot, by being patient, and by mimicking physical-world hustles, the new generation of cybercriminals are getting scarily ‘professional’.